Date: Tue, 18 Apr 2017 11:59:41 +0000 (UTC)
From: "Stefan Podkowinski (JIRA)"
To: commits@cassandra.apache.org
Reply-To: dev@cassandra.apache.org
Subject: [jira] [Commented] (CASSANDRA-13440) Sign RPM artifacts

    [ https://issues.apache.org/jira/browse/CASSANDRA-13440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15972550#comment-15972550 ]

Stefan Podkowinski commented on CASSANDRA-13440:
------------------------------------------------

Signatures can be used for both repository transport integrity protection and end-to-end content verification.

Providing a signature for {{repomd.xml}} allows clients to verify the repository's meta-data. But you'll have to enable this by adding {{repo_gpgcheck=1}} to the yum config.

Individual package files can also contain a signature in the RPM header. This can be done either during the build process ({{rpmbuild --sign}}) or afterwards on the final artifact. As the RPM should be built using docker and just create the RPMs at the end without intervention, we probably have to go with the latter option here.
I'd suggest to use the rpmsign wrapper ({{yum install rpm-sign}}) and use it on the package, e.g.:
{{rpmsign -D '%_gpg_name MyAlias' --addsign cassandra-3.0.13-1.noarch.rpm}}

Verifying package signatures requires importing the public keys first:
{{rpm --import https://www.apache.org/dist/cassandra/KEYS}}

Afterwards the following command should report "OK" for included hashes and gpg signatures:
{{rpm -K cassandra-3.0.13-1.noarch.rpm}}

Once the RPM is signed, we can enable {{gpgcheck=1}} again for the repo config. If enabled, both the import key and verification steps should take place automatically during installation from the yum repo.

> Sign RPM artifacts
> ------------------
>
>                 Key: CASSANDRA-13440
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-13440
>             Project: Cassandra
>          Issue Type: Sub-task
>          Components: Packaging
>            Reporter: Stefan Podkowinski
>
> RPMs should be gpg signed just as the deb packages. Also add documentation on how to verify to the download page.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
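
A check for the two yum settings named in the comment above ({{gpgcheck=1}} for package signatures, {{repo_gpgcheck=1}} for {{repomd.xml}}), as an added example that is not part of the original message or of the Cassandra project's tooling. The repo ids and baseurl in the sample are constructed placeholders, and an unset option is treated as not enabled, without resolving defaults inherited from yum's main config.

```shell
#!/bin/sh
# Added example: audit yum .repo content read from stdin. Prints "<repo id>: ok"
# or "<repo id>: missing <settings>"; exits 1 if any repo lacks a setting.
# Usage: audit_repo < /etc/yum.repos.d/<name>.repo
audit_repo() {
    awk '
    function enabled(v) { v = tolower(v); return v == "1" || v == "yes" || v == "true" }
    function flush(   miss) {
        if (id == "" || id == "main") return
        if (!enabled(pkg))  miss = miss " gpgcheck"       # RPM header signature check
        if (!enabled(meta)) miss = miss " repo_gpgcheck"  # repomd.xml signature check
        if (key == "")      miss = miss " gpgkey"         # needed for automatic key import
        if (miss != "") bad = 1
        print id ":" (miss == "" ? " ok" : " missing" miss)
    }
    /^[ \t]*[#;]/ { next }                     # skip comment lines
    /^[ \t]*\[/ {                              # a [section] line starts a new repo
        flush()
        id = $0; gsub(/^[ \t]*\[|\].*$/, "", id)
        pkg = meta = key = ""
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
        gsub(/[ \t\r]/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
        if (k == "gpgcheck") pkg = v
        else if (k == "repo_gpgcheck") meta = v
        else if (k == "gpgkey") key = v
    }
    END { flush(); exit bad + 0 }
    '
}

# Constructed sample input; repo ids and baseurl are placeholders.
sample_repo() {
    cat <<'EOF'
[cassandra-signed]
baseurl=https://repo.example.invalid/
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://www.apache.org/dist/cassandra/KEYS
[cassandra-pkg-only]
gpgcheck = 1
gpgkey=https://www.apache.org/dist/cassandra/KEYS
[cassandra-unsigned]
gpgcheck=0
EOF
}
```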